Here are the results of my analysis of TrickBot Banking Trojan mcconfs (the XML configuration files that carry the bot's version number, group tag and C2 server list) shared up to the end of the week commencing 18th December 2017. This analysis covers 1,111 unique C2 IP addresses used in 234 mcconfs across 101 versions, with a highest version of 1000109.
The following graph shows the rate of discovery of TrickBot versions in the wild, based on shared mcconfs. (Note: The flatter the line, the more frequently versions are discovered.)
Six versions were discovered in the last week (1000021, 1000106, 1000107, 1000108, 1000109, and 1000022), four the week before, and five the week before that. Two of the versions discovered have early version numbers (1000021 and 1000022) but contain only C2 servers not seen in any earlier mcconf. While my data does not include these versions from their ‘first use’, it seems these version numbers are being re-purposed in new campaigns, identified by group tags beginning ‘solinger’.
The C2 servers in these mcconfs listen on four ports:
- 443 (HTTPS);
- 445 (Microsoft-DS/SMB) – INACTIVE;
- 449 (IBM AS Server Mapper); and
- 451 (Cray Network Semaphore Server) – INACTIVE.
The names in brackets are only the IANA service registrations for those port numbers; they say nothing about the traffic itself, which TrickBot carries over HTTPS on 449 just as on 443, so detection should key on the TLS session, not on the port's nominal protocol.
The following table shows the top 25 servers (of the 1,111 unique servers) used within the 101 versions, ranked by the number of mcconfs that list them; addresses are defanged. There were three changes from the previous week, with 200[.]111.97.235:449, 82[.]146.48.44:443, and 94[.]250.253.142:443 moving into the top 25.
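The counts above (unique C2s, versions, highest version, servers per port, the top-25 ranking and the "old version number, all-new servers" check) are straightforward to reproduce from a directory of mcconfs. The script below is an added example and not the post's own tooling: it assumes the mcconf layout commonly reported for TrickBot (`<mcconf><ver/><gtag/><servs><srv>ip:port</srv>…</servs>…</mcconf>`), and the three sample configs embedded in it are constructed, using documentation address ranges rather than real C2 servers.

```python
"""Aggregate C2 servers across a set of TrickBot mcconfs.

Added example, not the post's own tooling. Assumes the commonly reported
mcconf layout (<mcconf><ver/><gtag/><servs><srv/>...</servs>...</mcconf>).
The configs below are constructed; the addresses are documentation ranges.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample mcconfs (not real captures).
SAMPLE_MCCONFS = [
    '<mcconf><ver>1000107</ver><gtag>tt0002</gtag><servs>'
    '<srv>203.0.113.10:443</srv><srv>198.51.100.7:449</srv><srv>203.0.113.11:443</srv>'
    '</servs><autorun><module name="injectDll"/></autorun></mcconf>',
    '<mcconf><ver>1000109</ver><gtag>tt0003</gtag><servs>'
    '<srv>203.0.113.10:443</srv><srv>198.51.100.7:449</srv><srv>192.0.2.5:449</srv>'
    '</servs><autorun><module name="injectDll"/></autorun></mcconf>',
    # Early version number re-used with a new group tag and mostly new servers.
    '<mcconf><ver>1000021</ver><gtag>solinger1</gtag><servs>'
    '<srv>192.0.2.5:449</srv><srv>192.0.2.6:449</srv><srv>198.51.100.8:445</srv>'
    '</servs><autorun><module name="systeminfo"/></autorun></mcconf>',
]


def parse_mcconf(xml_text):
    """Return (version, gtag, servers) for one mcconf. Duplicate <srv>
    entries inside a single config are collapsed, preserving order."""
    root = ET.fromstring(xml_text)
    if root.tag != "mcconf":
        raise ValueError("not an mcconf: root element is <%s>" % root.tag)
    ver = (root.findtext("ver") or "").strip()
    gtag = (root.findtext("gtag") or "").strip()
    servs = [s.text.strip() for s in root.iter("srv") if s.text and s.text.strip()]
    return ver, gtag, list(dict.fromkeys(servs))


def defang(server):
    """Bracket the first dot so the address is not auto-linked, the form
    used in the post (e.g. 200[.]111.97.235:449)."""
    return server.replace(".", "[.]", 1)


def summarise(mcconfs, top_n=25):
    """Unique C2s, versions, group tags, servers per port and the top-N list."""
    versions, gtags = set(), set()
    by_server = Counter()                 # number of mcconfs listing each ip:port
    servers_by_version = defaultdict(set)
    for xml_text in mcconfs:
        ver, gtag, servs = parse_mcconf(xml_text)
        versions.add(ver)
        gtags.add(gtag)
        servers_by_version[ver].update(servs)
        by_server.update(servs)
    by_port = Counter(int(s.rsplit(":", 1)[1]) for s in by_server)
    # Rank by mcconf count, then by address so ties are deterministic.
    ranked = sorted(by_server.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "mcconfs": len(mcconfs),
        "versions": sorted(versions),
        "highest_version": max(versions, key=int),
        "gtags": sorted(gtags),
        "unique_servers": len(by_server),
        "servers_by_port": dict(by_port),
        "top_servers": [(defang(s), n) for s, n in ranked[:top_n]],
        "servers_by_version": servers_by_version,
    }


def servers_only_in(summary, version):
    """C2s that appear in `version` and in no other version. A version with
    an old number whose servers are all of this kind is the re-purposing
    case described in the post."""
    others = set()
    for v, servs in summary["servers_by_version"].items():
        if v != version:
            others |= servs
    return sorted(summary["servers_by_version"][version] - others)


if __name__ == "__main__":
    s = summarise(SAMPLE_MCCONFS)
    print("%d mcconfs, %d versions (highest %s), %d unique C2s"
          % (s["mcconfs"], len(s["versions"]), s["highest_version"], s["unique_servers"]))
    print("servers per port:", s["servers_by_port"])
    for server, n in s["top_servers"]:
        print("%-24s seen in %d mcconf(s)" % (server, n))
    print("only in 1000021:", servers_only_in(s, "1000021"))
```

To run it over real data, replace `SAMPLE_MCCONFS` with the decoded contents of each mcconf file; `parse_mcconf` rejects anything whose root element is not `<mcconf>`, so a stray non-config file fails loudly rather than silently skewing the counts.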
Thanks to @mpvillafranca94, @JR0driguezB, @0bscureC0de, @virsoz, @spalomaresg, @VK_Intel, @K_N1kolenko, @hasherezade, @botNET___, @ArnaudDlms, @StackGazer, @voidm4p, @James_inthe_box, @MakFLwana, @_ddoxer, @moutonplacide, @JasonMilletary, @Ring0x0, @precisionsec, @Techhelplistcom, @pollo290987, @MalHunters and @coldshell for sharing the mcconfs.
Article Link: http://escinsecurity.blogspot.com/2017/12/weekly-trickbot-analysis-end-of-wc-18.html